package com.github.cyf.controller;

import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.github.cyf.common.model.Rs;
import com.github.cyf.domain.po.Comment;
import com.github.cyf.service.CommentService;
import com.github.xiaoymin.knife4j.annotations.ApiOperationSupport;
import com.github.xiaoymin.knife4j.annotations.ApiSupport;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;
import java.util.UUID;

/**
 * <p>
 *  前端控制器
 * </p>
 *
 * @author chenyifan
 * @since 2024-11-06
 */
@RestController
@RequestMapping("/xss")
@Api(tags = "3、XSS攻击测试")
@ApiSupport(order = 3)
public class XssController {

    @Autowired
    private CommentService xssContentService;

    // ---------------------------------- 反射型XSS --------------------------------------------

    /**
     * 反射型 xss：输入内容后会反馈，如果输入js代码就会造成漏洞，那么攻击者可以构造链接去诱导用户点击，从而拿到用户的隐私数据
     * <script>alert('XSS')</script>
     * <script>alert(document.cookie)</script>
     */
    @ApiOperation("搜索内容")
    @ApiOperationSupport(order = 1)
    @GetMapping("/search")
    public String show(String content) {
        StringBuilder builder = new StringBuilder();
        builder.append("您搜索的关键词").append(content).append("结果如下：\n");
        builder.append(UUID.randomUUID()).append("\n");
        builder.append(UUID.randomUUID()).append("\n");
        builder.append(UUID.randomUUID()).append("\n");
        return builder.toString();
    }


    // ---------------------------------- 存储型XSS --------------------------------------------

    /**
     *  <script>alert('XSS')</script>
     *  <script>alert(document.cookie)</script>
     */
    @ApiOperation("添加内容")
    @ApiOperationSupport(order = 1)
    @PostMapping("/add")
    public Rs add(Comment comment) {
        xssContentService.save(comment);
        return Rs.ok();
    }

    @ApiOperation("获取内容")
    @ApiOperationSupport(order = 2)
    @GetMapping("/content")
    public String getContent(Integer index) {
        LambdaQueryWrapper<Comment> wrapper = new LambdaQueryWrapper<>();
        wrapper.eq(Comment::getType, 1);
        List<Comment> list = xssContentService.list(wrapper);
        return list.get(Math.min(index, list.size()) - 1).getContent();
    }

    @ApiOperation("获取图片")
    @ApiOperationSupport(order = 3)
    @GetMapping("/image")
    public String getImage(Integer index) {
        LambdaQueryWrapper<Comment> wrapper = new LambdaQueryWrapper<>();
        wrapper.eq(Comment::getType, 2);
        List<Comment> list = xssContentService.list(wrapper);
        String imageUrl = list.get(Math.min(index, list.size()) - 1).getContent();
        return "<image src= " + imageUrl + " >";
    }
}